2FA not required for device sessions?

I have 2FA activated for my admin account, but when I create a device session for mobile, it allows me to log in without using 2FA. I am curious about the reason for this.

Is this because when I log in with my device, it creates a trusted device? So that the password will only work in conjunction with that specific device?

Yes, it is called an app-specific password. Most apps are unable to handle 2FA requests, and therefore these specific accounts are being created.


I appreciate the response j-ed.

I have a follow-up question: is the app-specific password only used once? Or can it be used many times?

Ideally, I am hoping that it would only be used once so that I never have to worry about the password leaking and using it again.

The password is set up once for an application and reused automatically to access Nextcloud as required. The passwords are relatively long and random character strings, so they are difficult to guess.

It is not possible to log in to the web frontend with an app password, so it gives no access to the administrative interfaces that can only be reached there.
You can also see all registered devices and when they were last active in the security tab of your personal settings. File access can also be prohibited there, or a connection (which includes the app password used) can be revoked.
If a device with file access falls into the wrong hands, you can also activate remote deletion, which will delete files that are already on the device.

Much luck,
ernolf

Hey ernolf,

Thank you for taking the time to respond.

To clarify, I am not attempting to log in to the web interface with the app password: I am attempting to use the app password to log in to the Nextcloud mobile app so I can sync my calendar, tasks, and notes.

My main concern is the security of logging in to my Nextcloud account via my phone: I worry about accidentally leaking my login credentials.

When I asked if the app password can only be used once, my goal was to understand whether the same app password can be used to access my account through multiple mobile devices.

Is it possible to use the same app password on multiple devices?

I'm not 100% sure whether multiple applications can use the same app password at the same time, but they can definitely be reused after reinstalling an app, which leads me to the assumption that the former would probably work as well (did not test it).

So, in theory, using app passwords reduces the overall security of an account, at least a little bit. However, as long as you don't use them on a compromised device that sends your clipboard or keystrokes to a command-and-control server while setting up the app in question, you should be fine. :)

Brute-force attacks are definitely a non-issue in this context because the app passwords are too strong.

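To make the behaviour described in the two answers above concrete (a password minted once after a full 2FA login, reused on every request, hashed on the server, never valid for the web frontend, and revocable or restricted per device from the security tab), here is a small in-memory model of such an app-password store. It is an added example written for this thread, not Nextcloud's own code: the 72-character alphanumeric token format, the SHA-256 hashing, the `AppPasswordStore` class and the `demo()` helper are all assumptions of the model. It also treats the token as a plain bearer secret, so a second client presenting the phone's token is accepted; that matches ernolf's untested assumption, and whether Nextcloud ties a token to a device beyond its session record is not something the thread confirms.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Assumption of this model: tokens are drawn from this alphabet at this length.
ALPHABET = string.ascii_letters + string.digits
APP_PASSWORD_LENGTH = 72


def generate_app_password(length: int = APP_PASSWORD_LENGTH) -> str:
    """CSPRNG-backed random token: the 'long and random character string' from the thread."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = APP_PASSWORD_LENGTH, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random token of the given shape."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected years to find the token by exhausting half the keyspace at the given rate."""
    return (2 ** (bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


def _digest(token: str) -> bytes:
    # The server keeps only a hash, so a leaked database does not hand out live tokens.
    return hashlib.sha256(token.encode()).digest()


@dataclass
class DeviceSession:
    name: str
    token_hash: bytes
    last_activity: int
    file_access: bool = True
    revoked: bool = False


class AppPasswordStore:
    """Stand-in (hypothetical) for the device list in the personal security settings."""

    def __init__(self) -> None:
        self._sessions: dict[str, DeviceSession] = {}
        self._clock = 0  # monotonic stand-in for 'last active' timestamps

    def create_device_session(self, device_name: str) -> str:
        # Only reached after the user completed a full login (password + 2FA) in the browser.
        # The cleartext token is handed out exactly once and never stored.
        token = generate_app_password()
        self._clock += 1
        self._sessions[device_name] = DeviceSession(device_name, _digest(token), self._clock)
        return token

    def authenticate(self, presented: str, *, web_frontend: bool = False) -> Optional[DeviceSession]:
        """Return the matching live session, or None. App passwords never open the web UI."""
        if web_frontend:
            return None
        digest = _digest(presented)
        for session in self._sessions.values():
            if not session.revoked and hmac.compare_digest(digest, session.token_hash):
                self._clock += 1
                session.last_activity = self._clock
                return session
        return None

    def may_access_files(self, presented: str) -> bool:
        session = self.authenticate(presented)
        return bool(session and session.file_access)

    def set_file_access(self, device_name: str, allowed: bool) -> None:
        self._sessions[device_name].file_access = allowed

    def revoke(self, device_name: str) -> None:
        self._sessions[device_name].revoked = True

    def list_devices(self) -> list:
        return [(s.name, s.last_activity, s.file_access, s.revoked) for s in self._sessions.values()]


def demo() -> dict:
    """Walk through the thread's questions against the model and collect the outcomes."""
    store = AppPasswordStore()
    phone_pw = store.create_device_session("phone")
    tablet_pw = store.create_device_session("tablet")
    results = {
        "length": len(phone_pw),
        # same token accepted on repeated requests: it is reused, not single-use
        "reused_ok": store.authenticate(phone_pw) is not None and store.authenticate(phone_pw) is not None,
        "web_login_blocked": store.authenticate(phone_pw, web_frontend=True) is None,
        # bearer-secret assumption: another client presenting the phone's token is accepted
        "works_from_other_client": store.authenticate(phone_pw).name == "phone",
        "garbage_rejected": store.authenticate("not-a-real-token") is None,
    }
    store.set_file_access("phone", False)          # 'prohibit file access' for one device
    results["phone_file_access"] = store.may_access_files(phone_pw)
    results["tablet_file_access"] = store.may_access_files(tablet_pw)
    store.revoke("phone")                          # revoke one connection, others stay valid
    results["phone_after_revoke"] = store.authenticate(phone_pw)
    results["tablet_after_revoke"] = store.authenticate(tablet_pw).name
    results["entropy_bits"] = round(entropy_bits())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy figures are what back ernolf's brute-force remark: under the assumed 72-character alphanumeric format a token carries roughly 429 bits, which no online or offline guessing budget approaches, so the realistic risk is the one the thread names (the cleartext token being captured on the device during setup), not guessing.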